Template: Web Application Threat Model

07/14/2010

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Summary: This document provides a template that shows the type of data to gather as part of the threat modeling activity, together with relevant exit criteria (checkpoints) for each step in the activity. The completed threat model can be used as input for deriving security test plans or test cases.

Contents

How to Use the Template
Application Name and Description
Owners, Authors, and Stakeholders
Revision History
1. Security Objectives
2. Application Overview
3. Application Decomposition
4. Threats
5. Vulnerabilities

How to Use the Template

Use this template to capture output from the threat modeling activity described in the document, "How To: Create a Threat Model for a Web Application at Design Time." The template contains instruction text, examples, and checkpoint criteria for each step in the activity.

You should review and update the output document (the threat model) generated from this template at regular intervals throughout the application life cycle. As your application design develops, you should be able to progressively add more detail to the output document.

Application Name and Description

<<Insert application name and brief description>>

Owners, Authors, and Stakeholders

Owners

Authors

Stakeholders

Revision History

Name

Change

Date

1. Security Objectives

List the goals and constraints that affect the confidentiality, integrity, and availability of your data and application.

Examples

The data access components trust the business components to pass fully validated data.

Data Flows

For your main data flows, identify where the data comes from, where it goes, and who can input data. Also identify what good data consists of: its length, range, format, and type. Highlight the key authorization mechanisms used during the data flow. If you have UML sequence diagrams or data flow diagrams, use them.

<<Insert data flow 1>>
<<Insert data flow 2>>
<<Insert data flow 3>>

Example

The following is an example of a data flow description:

An anonymous user submits a search string. The search string is accepted by the home page and is validated by a regular expression. The search string must be less than 50 characters in length and may include any combination of letters or numbers. The search string is passed to the data access component. The data access component calls a stored procedure, passing the search string as a single parameter.
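The search data flow above, implemented as an added example that is not part of the original template: the home page validates the search string with a regular expression that enforces the stated length and character set, and the data access component binds the value as a single parameter rather than concatenating it into the query. sqlite3 stands in for the stored procedure call (SQLite has no stored procedures), and the products table with its rows is constructed sample data.

```python
import re
import sqlite3

# Added example, not part of the original template. It implements the search
# data flow described above: the home page validates the anonymous user's
# search string with a regular expression, then the data access component
# passes it to the database as a single bound parameter. sqlite3 stands in
# for the stored procedure call (SQLite has no stored procedures); the
# products table and its rows are constructed sample data.

# "Less than 50 characters, letters or numbers only": 1 to 49 characters from
# [A-Za-z0-9]. fullmatch anchors both ends, so a trailing newline or an
# embedded quote cannot slip past the check the way it can with re.match.
SEARCH_PATTERN = re.compile(r"[A-Za-z0-9]{1,49}")


def is_valid_search_string(raw) -> bool:
    """Home page validation: does the input match the data flow's definition of good data?"""
    return isinstance(raw, str) and SEARCH_PATTERN.fullmatch(raw) is not None


def validate_search_string(raw: str) -> str:
    """Reject anything outside the allowed length and character set."""
    if not is_valid_search_string(raw):
        raise ValueError("search string must be 1-49 letters or digits")
    return raw


def search_products(conn: sqlite3.Connection, search_string: str) -> list:
    """Data access component: the value is bound as one parameter, never
    concatenated into the SQL text. Because validation has already excluded
    '%' and '_', the caller cannot widen the LIKE pattern either."""
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ORDER BY name",
        ("%" + search_string + "%",),
    ).fetchall()
    return [name for (name,) in rows]


def handle_search(conn: sqlite3.Connection, raw) -> list:
    """The whole flow: validate at the entry point, then query."""
    return search_products(conn, validate_search_string(raw))


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [("Widget",), ("Gadget",), ("Gizmo",), ("Wide Angle Lens",)],
    )
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(handle_search(db, "Wid"))  # ['Wide Angle Lens', 'Widget']
    for bad in ["' OR 1=1 --", "a" * 50, "", "wid%"]:
        try:
            handle_search(db, bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

The two controls are independent: the regular expression is the "what good data consists of" part of the data flow, and parameter binding is what keeps the data access component safe even if a future caller skips the validation. Note that the regular expression also happens to exclude the LIKE wildcard characters, which is why the pattern can be built by simple concatenation here.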

Checkpoint

Before you finish this step, you should be able to answer the following questions:

Examples

Logon page. Accessible to all Internet users. Validated by using client-side and server-side validation controls, together with a common validation library.

Amend customer details page. Accessible to authenticated users only. Validated by using client-side and server-side validation controls, together with a common validation library. The page is used to update customer details.

GetCustomerDetails stored procedure. Can be called by the application's trusted service account only. Data validation is performed by upstream caller (trusted Web application business logic). The procedure invokes code that retrieves customer details.

Checkpoint

Before you finish this step, you should be able to answer the following question:

Can you list your entry points, particularly those at the trust boundaries?

Exit Points

Identify the points in your application where data is sent to the client. Prioritize the exit points that write data derived from client input or from untrusted sources such as shared databases, because that data must be encoded for its output context before it is written.
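One way to answer the entry-point and exit-point checkpoints mechanically, as an added example that is not part of the original template. It records each entry point's least-trusted caller, the trust level of the owning component, and where its input is validated, and each exit point's data sources and whether the output is encoded; the checks then list the entry points that cross a trust boundary while relying on an upstream caller for validation, and the exit points that write client or shared-database data without encoding. The three named entry points are taken from the examples on this page; the trust ordering, the fourth entry point, and all exit points are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Added example, not part of the original template. It records the entry-point
# and exit-point facts the steps above ask for as data, then answers the
# checkpoint questions mechanically. The three named entry points come from
# this page's examples; the trust ordering, the fourth entry point and all exit
# points are constructed assumptions for illustration.

# Trust levels from least to most trusted (assumed ordering).
TRUST = {"anonymous user": 0, "authenticated user": 1, "service account": 2}

# Data sources that must be treated as untrusted at an exit point.
UNTRUSTED_SOURCES = {"client input", "shared database"}


@dataclass(frozen=True)
class EntryPoint:
    name: str
    caller_trust: str      # least-trusted identity that can reach the entry point
    component_trust: str   # trust level of the component that owns it
    validated_here: bool   # does this component validate its own input?

    def on_trust_boundary(self) -> bool:
        """A boundary is crossed when a less-trusted caller can reach the component."""
        return TRUST[self.caller_trust] < TRUST[self.component_trust]


@dataclass(frozen=True)
class ExitPoint:
    name: str
    data_sources: tuple    # where the written data originates
    encoded: bool          # is the data encoded for its output context?

    def writes_untrusted_data(self) -> bool:
        return bool(UNTRUSTED_SOURCES.intersection(self.data_sources))


def boundary_entry_points(entry_points):
    """Checkpoint: the entry points at the trust boundaries."""
    return [e.name for e in entry_points if e.on_trust_boundary()]


def unvalidated_boundary_entry_points(entry_points):
    """Entry points that cross a trust boundary yet rely on the caller to validate."""
    return [e.name for e in entry_points
            if e.on_trust_boundary() and not e.validated_here]


def priority_exit_points(exit_points):
    """Exit points that write client or shared-database data without encoding."""
    return [x.name for x in exit_points if x.writes_untrusted_data() and not x.encoded]


# Entry points from the page's examples plus one constructed case.
ENTRY_POINTS = (
    EntryPoint("Logon page", "anonymous user", "service account", True),
    EntryPoint("Amend customer details page", "authenticated user", "service account", True),
    # Callable only by the trusted service account, so it sits inside the
    # boundary and may rely on the Web application's validation, as the page says.
    EntryPoint("GetCustomerDetails stored procedure", "service account", "service account", False),
    # Constructed: an anonymous-facing entry point that trusts its caller to validate.
    EntryPoint("Product search Web service (constructed)", "anonymous user", "service account", False),
)

# Exit points are all constructed; the page lists none.
EXIT_POINTS = (
    ExitPoint("Customer details page (constructed)", ("shared database",), False),
    ExitPoint("Search results page (constructed)", ("client input",), True),
    ExitPoint("Audit log view (constructed)", ("internal",), False),
)


if __name__ == "__main__":
    print("Entry points at trust boundaries:", boundary_entry_points(ENTRY_POINTS))
    print("Boundary entry points with upstream-only validation:",
          unvalidated_boundary_entry_points(ENTRY_POINTS))
    print("Exit points to prioritize:", priority_exit_points(EXIT_POINTS))
```

The stored procedure is the instructive case: it is not flagged because its only caller is the trusted service account, so "validation is performed by upstream caller" is acceptable there. The same statement on an entry point reachable by anonymous users is what the check is designed to surface.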
